<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config"
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
          xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
          clockSkew="180">

    <OutOfProcess>
        <Extensions>
            <Library path="memcache-store.so" fatal="true"/>
        </Extensions>
    </OutOfProcess>

    <StorageService type="MEMCACHE" id="mc" prefix="shibboleth2:">
        <Hosts>
            {{ keystone_memcached_servers }}
        </Hosts>
    </StorageService>

    <StorageService type="MEMCACHE" id="mc-ctx" prefix="shibboleth2:" buildMap="1">
        <Hosts>
            {{ keystone_memcached_servers }}
        </Hosts>
    </StorageService>

    <SessionCache type="StorageService" cacheTimeout="{{ horizon_session_timeout }}" StorageService="mc-ctx" StorageServiceLite="mc" />
    <ReplayCache StorageService="mc"/>
    <ArtifactMap StorageService="mc" artifactTTL="180"/>

    <!-- The entityID is the name by which your IdP will know your SP. -->
    <ApplicationDefaults entityID="{{ keystone_service_publicuri }}/shibboleth">

        <!-- You should use secure cookies if at all possible.  See cookieProps in this Wiki article. -->
        <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions -->
        <Sessions lifetime="28800"
                  timeout="3600"
                  relayState="ss:mc"
                  checkAddress="false"
                  handlerSSL="{% if keystone_ssl | bool %}true{% else %}false{% endif %}"
                  {% if keystone_service_publicuri_proto == "https" %}cookieProps="; path=/; secure"{% endif %}>

            <!-- Triggers a login request directly to the IdP. -->
            <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceSSO -->
            <SSO ECP="true" entityID="{{ keystone_sp.trusted_idp_list.0.entity_ids.0 }}">
                SAML2 SAML1
            </SSO>

            <!-- SAML and local-only logout. -->
            <!-- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPServiceLogout -->
            <Logout>SAML2 Local</Logout>

            <!--
                Handlers allow you to interact with the SP and gather more information.
                Attribute values received by the SP through SAML will be visible at:
                {{ keystone_service_publicuri }}/Shibboleth.sso/Session
            -->

            <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
            <Handler type="MetadataGenerator"
                     Location="/Metadata"
                     signing="false"/>

            <!-- Status reporting service. -->
            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

            <!-- Session diagnostic service. -->
            <Handler type="Session" Location="/Session" showAttributeValues="true"/>

            <!-- JSON feed of discovery information. -->
            <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
        </Sessions>

        <!--
        Allows overriding of error template information/filenames. You can
        also add attributes with values that can be plugged into the templates.
        -->
        <Errors supportContact="root@localhost"
                helpLocation="/about.html"
                styleSheet="/shibboleth-sp/main.css"/>

        <!--
        Loads and trusts a list of metadata files which describes
        the trusted IdP's and how to communicate with them.
        -->
{% if keystone_sp.trusted_idp_list is defined -%}
    {% for item in keystone_sp.trusted_idp_list %}
        <MetadataProvider type="XML"
                          uri="{{ item.metadata_uri }}"
                          backingFilePath="{{ item.metadata_file }}"
                          reloadInterval="{{ item.metadata_reload }}" />
    {% endfor %}
{% endif %}

        <!-- Map to extract attributes from SAML assertions. -->
        <AttributeExtractor type="XML"
                            validate="true"
                            reloadChanges="false"
                            path="attribute-map.xml"/>

        <!-- Use a SAML query if no attributes are supplied during SSO. -->
        <AttributeResolver type="Query" subjectMatch="true"/>

        <!-- Default filtering policy for recognized attributes, lets other data pass. -->
        <AttributeFilter type="XML"
                         validate="true"
                         path="attribute-policy.xml"/>

        <!-- Your SP generated these credentials. They're used to talk to IdP's. -->
        <CredentialResolver type="File"
                            key="sp-key.pem"
                            certificate="sp-cert.pem"/>

    </ApplicationDefaults>

    <!-- Policies that determine how to process and authenticate runtime messages. -->
    <SecurityPolicyProvider type="XML"
                            validate="true"
                            path="security-policy.xml"/>

    <!-- Low-level configuration about protocols and bindings available for use. -->
    <ProtocolProvider type="XML"
                      validate="true"
                      reloadChanges="false"
                      path="protocols.xml"/>

</SPConfig>
